March 2006 - Posts

The latest on the 912945 ActiveX update and the optional compatibility patch.

Ok, so I was confused.  On the one hand we had Mike Nash saying it would be "deployed like a hotfix" (which to me means phone MS and ask for it).  On the other hand, I had an email from MS saying that the optional compatibility patch would be available via the Download Centre, which certainly isn't standard operating procedure for hotfixes.

Jeff Centamino has been chatting via email with Mike Nash about the situation, and has posted details of the conversation with permission - it clears things up very nicely:
http://windowsconnected.com/blogs/jeff/archive/2006/03/31/1524.aspx

The important thing to understand is that the optional compatibility patch is no more than a temporary stopgap.  *ALL* of us will have to learn to adjust to the changes wrought by the 912945 update by, at the time of writing, June - yes, even Siebel customers.

Have you taken the Phishing IQ test?

http://www.mailfrontier.com/forms/msft_iq_test.html

I achieved 8 out of 10... spotted all the phishing emails just fine, but also attributed falsity to two legitimate ones... go figure...  better safe than sorry, I suppose.  I'd have been real grumpy with myself if I'd marked a phish as legitimate...

I keep saying it - DON'T CLICK ON THOSE LINKS!!!

Websense reports that the bad end of town has started using the createTextRange vulnerability in an attempt to infect victims with a keylogging trojan that monitors activity on various (undisclosed) financial websites and sends the recorded information to the attacker:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=452

Repeat after me - "I will not click on links in unsolicited emails... I will not click on links in unsolicited emails... I will not click on links in unsolicited emails..."

Got it? Good.

Note the "unsolicited" bit.  You may have subscribed to an email alert service and it would be a bit silly to do that and then not use the links in the emails they send you.  As for me, I've moved away from such things and always try to use RSS to pull down alerts from the various services I subscribe to, or I simply go to the Web site and browse:

http://www.websensesecuritylabs.com/RSSFeed.php

Let's do some SERIOUS procrastinating....

Between disobedient Excel sheets with a VLOOKUP that didn't work, and chatting with friends who have been quiet too long I have got little work done... so, if the night is fried anyways, and there's no way my already-late column will be submitted tonight, let's go out with a bang....

I've subscribed to this site for ages... sure, some of it (hell, a lot at times) is kinda boring, but there are some marvellous one liners and some exquisitely sarcastic commentaries about the online gaming world - I love it .. what's with the spaceship named "PKSS Haxor"?
http://www.thenoobcomic.com/daily/strip001.html

"Woah, its all slow like the matrix"... "It's LAG, dumbass"

OK, it's immature, but it's still funny.

It's getting late.. gonna be AFK for a while ;o)

Posted by sandi with no comments

A new phishing trick...

Do you trust a bank that can be hacked like this?
http://www.itnews.com.au/newsstory.aspx?CIaNID=31268

Phishers hacked into three legitimate Florida bank sites, namely Capital City Bank, Wakulla Bank and Premier Bank, and then planted a script that redirected victims from the real banks' sites to a phishing site.

We've always advised users to type their bank's URL into the address bar and never click on links.  To this I have added always checking the status bar and address bar (http://www.microsoft.com/windows/ie/community/columns/saferbrowsing.mspx) and using the IE phishing filter, and before that SpoofStick.

The banks say that they detected and resolved the issue "within an hour", but that is beside the point.  I wonder how many customers were affected during that time... and then, on top of that, there is the risk of malware, trojans and other hostile activities that may be hosted by the phishing sites.

High trust sites such as online banking sites simply *must* be as secure as they can be.  On this occasion the systems were running IIS, and so far I have found no information about whether a known vulnerability was used to hack into the servers, or something else.

People, be careful, always.  Watch your status bar and watch your address bar (which, in IE7, are both always exposed unless consciously disabled by the user).  Enable IE7's phishing filter or, if you can't run IE7, get the MSN Toolbar, which also includes a phishing filter.  And practice safe hex:

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
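The ITnews story says only that a script was planted to redirect visitors off the real bank sites. The checker below is an added example (mine, not the banks' or ITnews' code) of the kind of page audit a site owner could run to catch that: it pulls every place a page can send the browser elsewhere (meta refresh, script location assignments, script and frame sources) and reports the ones that leave the bank's own domain. The redirect idioms it looks for, the sample page, the domain bank.example and the address 198.51.100.7 (an RFC 5737 documentation address) are all assumptions constructed for the demonstration, not details from the incident.

```python
"""Flag off-site redirects planted in a site's HTML (added example, not the
banks' or ITnews' code).  Assumptions: the planted script used one of the
common redirect idioms matched below; the sample page, bank.example and
198.51.100.7 are constructed for this demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirect idioms a planted script typically uses:
#   location = "...", location.href = "...", document.location.replace("..."),
#   top.location.assign("...")
SCRIPT_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.|parent\.)?location(?:\.href)?\s*
        (?:=(?!=)|\.replace\s*\(|\.assign\s*\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE | re.VERBOSE,
)
# <meta http-equiv="refresh" content="0;url=http://..."> -> the URL part
META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


class _RedirectCollector(HTMLParser):
    """Collect every place a page can send the browser somewhere else."""

    def __init__(self):
        super().__init__()
        self.targets = []        # (kind, url) pairs in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.targets.append(("script-src", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.targets.append(("frame-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text
        if self._in_script:
            for m in SCRIPT_REDIRECT_RE.finditer(data):
                self.targets.append(("script-location", m.group(1)))


def _is_offsite(url, site_host):
    host = (urlparse(url).hostname or "").lower()
    if not host:                 # relative URL: stays on the real site
        return False
    return host != site_host and not host.endswith("." + site_host)


def find_offsite_redirects(html, site_host):
    """Return [(kind, url)] for every redirect/frame/script that leaves site_host."""
    collector = _RedirectCollector()
    collector.feed(html)
    collector.close()
    return [(k, u) for k, u in collector.targets if _is_offsite(u, site_host.lower())]


# Constructed sample: a page for bank.example with two planted redirects and
# two legitimate same-site references that must not be flagged.
SAMPLE_PAGE = """<html><head><title>bank.example - Online Banking</title>
<meta http-equiv="refresh" content="0;url=http://198.51.100.7/bank/login.htm">
<script src="/js/site.js"></script>
</head><body>
<a href="https://online.bank.example/login">Log in</a>
<script type="text/javascript">
  var x = 1; // harmless
  window.location.href = "http://198.51.100.7/bank/login.htm";
</script>
<iframe src="https://online.bank.example/rates" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_offsite_redirects(SAMPLE_PAGE, "bank.example"):
        print(f"OFF-SITE {kind}: {url}")
```

Run it against a copy of each page on the web server (or the output of a scheduled fetch) and any hit is worth a phone call: a legitimate bank page has no business bouncing visitors to a bare IP address.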

Spam code threatens $10m fine

"INTERNET service providers could face massive fines if they do not comply with new rules set down by the communications watchdog.

The Australian Communications and Media Authority (ACMA) today registered the world's first legislative code of practice for internet and email service providers.

...[U]nder the new code, ISPs will have to offer spam filtering options to subscribers and provide a system of handling complaints.

They will also have to impose reasonable limits on the rate at which subscribers can send email..."

Cite:
http://australianit.news.com.au/articles/0,7204,18632881%5E15318%5E%5Enbv%5E,00.html


Posted by sandi with 1 comment(s)

Mike Nash of MS comments on the 912945 ActiveX update

Pretty much confirms everything I've been saying all along:
http://blogs.technet.com/msrc/archive/2006/03/29/423560.aspx

One thing I didn't know was this:

"we will create a “compatibility patch” (deployed like a hotfix) that allows customers to turn off the change for a limited period of time through the June update cycle (2nd Tuesday in June) to provide time for enterprise customers to resolve compatibility issuess [sic]"

"Deployed like a hotfix" tells me that the patch will only be available by contacting MS Support and convincing them that the patch is needed.  End users should not expect that it is going to be made available to them simply because they don't like the new ActiveX behaviour.

Posted by sandi with no comments

The eEye hack for the createTextRange vulnerability

Summary:  My advice? Don't install it.

(Please forgive any grammatical or logical flow errors - I'm running real short of time but wanted to get this live before starting my work day).

Two MS security bloggers have mentioned the eEye "patch" that protects against the createTextRange vulnerability.

http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/ms_schweiz_security_blog/default.aspx

Both bloggers recommend that the patch not be installed. 

Ok, I admit - the vulnerability is being exploited. That's bad.  But, at the same time we need to have a realistic look at what is going on and compare risk to reward.  On balance, after considering all the information I'm privy to (public and private) I have to say that I agree - do not install the third party patch.

Historically, third party patches and hacks have been problematic.  Let's look at a couple of recent examples.

WMF Exploit hack
The WMF exploit patch was messy - to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection).  The changed file was also causing Windows Update to offer old security patches.  Deregistering shimgvw.dll stopped Windows Picture and Fax Viewing from working.

The IE6/IE7 side by side hack
The IE6/IE7 side by side hack caused various symptoms, including opening a browser window that promptly hangs IE, opening links that render blank, and multiple windows opening when initiating a browser session.

The eEye hack (I refuse to call it a patch) doesn't fix the createTextRange vulnerability... it messes around with how Windows works.  We have no way of knowing what may be broken by this change.

"Ah, but at least I'll be safe" I hear you say.  "Safe from what?" says I.  Let me explain.

First, according to http://www.microsoft.com/technet/security/advisory/917077.mspx "Antivirus companies indicate that attacks that exploit this vulnerability are being effectively mitigated by antivirus software with up-to-date signatures".  The antivirus companies that have confirmed they provide protection against known vectors include:

Symantec
Computer Associates
McAfee
F-Secure Corporation
Panda Software International
Aladdin
Sophos
Eset Software
Trend Micro
Windows Live OneCare
 
Do you have up-to-date antivirus? Does it detect files that attempt to exploit the vulnerability?  If so, why take the risk with a third party hack?

Second, sure, there are lists going around warning that there are hundreds of sites that are taking advantage of the exploit.  But actually hitting one of those sites is needle-in-a-haystack stuff.  Seriously.  I've seen real-world, what's-actually-happening statistics that convince me that the risk of being hit by the exploit is not sufficient to risk the damage that may be caused to a system's operation by the eEye changes.

On balance, considering the fact that MS and law enforcement have been very proactive in getting exploit sites shut down, considering the fact that there are not "hundreds" of sites out there (the number is far lower than that), considering the list of antivirus programmes that protect against known vectors, considering the fact that you'll have to be *real* unlucky to hit one of the sites that is still live without being taken by the hand and shown how to get there, and considering there are safer ways to protect yourself against the risk of exploit (disable active scripting or set to prompt), I say don't install the patch.

BTW, SANS Internet Storm Centre agrees - not with me per se, but with the risk assessment that the eEye patch shouldn't be installed:
http://www.incidents.org/diary.php?storyid=1226
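The safer mitigation mentioned above, setting Active scripting for the Internet zone to Prompt or Disable, lives in the registry, so it can be audited and rolled out without touching system files. The script below is an added example (mine, not Microsoft's or anything from the advisory) that resolves the current setting from the zone keys and writes out a .reg file to change it. The zone subkey path, the action id 1400 and the values 0/1/3 are IE's URL-zone settings; the Security_HKLM_only handling, the treatment of an absent value as the Internet-zone default (Enable), and the constructed registry snapshots used for the offline check are this example's own assumptions.

```python
"""Audit and set IE's Active scripting action for the Internet zone (added
example, not Microsoft's code).  Assumptions: Security_HKLM_only=1 makes the
HKLM zone values authoritative, otherwise HKCU applies; an absent 1400 value
means the Internet zone's default of Enable (0)."""
import sys

ZONES_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = "3"            # Zones\3 = Internet
ACTIVE_SCRIPTING = "1400"      # action id for "Active scripting"
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAME = {ENABLE: "enable", PROMPT: "prompt", DISABLE: "disable"}


def effective_active_scripting(hkcu_zone, hklm_zone, hklm_only=False):
    """Resolve Active scripting for one zone from dicts of the zone subkey's
    values as read from HKCU and HKLM.  An unknown value is reported rather
    than silently treated as safe."""
    source = hklm_zone if hklm_only else hkcu_zone
    value = source.get(ACTIVE_SCRIPTING, ENABLE)      # absent -> Enable (assumption)
    if value not in SETTING_NAME:
        raise ValueError(f"unexpected {ACTIVE_SCRIPTING} value {value!r}")
    return SETTING_NAME[value]


def reg_file_for(setting):
    """Text of a .reg file (import with `regedit /s file.reg`) that sets the
    current user's Internet zone Active scripting to `setting`."""
    if setting not in SETTING_NAME:
        raise ValueError("setting must be ENABLE, PROMPT or DISABLE")
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_CURRENT_USER\\{ZONES_SUBKEY}\\{INTERNET_ZONE}]\r\n"
        f'"{ACTIVE_SCRIPTING}"=dword:{setting:08x}\r\n'
    )


def read_zone_from_registry(root_name, zone=INTERNET_ZONE):
    """Windows only: every value under Zones\\<zone> in HKCU or HKLM."""
    import winreg                                    # not available off Windows
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[root_name]
    values, i = {}, 0
    with winreg.OpenKey(root, ZONES_SUBKEY + "\\" + zone) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:                          # no more values
                break
            values[name] = data
            i += 1
    return values


def hklm_only_flag():
    """Windows only: is Security_HKLM_only set under Internet Settings?"""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"Software\Microsoft\Windows\CurrentVersion\Internet Settings") as key:
            return bool(winreg.QueryValueEx(key, "Security_HKLM_only")[0])
    except OSError:
        return False


if __name__ == "__main__":
    if sys.platform == "win32":
        state = effective_active_scripting(read_zone_from_registry("HKCU"),
                                           read_zone_from_registry("HKLM"),
                                           hklm_only_flag())
    else:
        # Constructed snapshot of an unhardened machine: value absent -> Enable
        state = effective_active_scripting({}, {}, False)
    print("Internet zone Active scripting:", state)
    if state == "enable":
        print("Import this with regedit /s to switch it to Prompt:")
        print(reg_file_for(PROMPT))
```

Prompt (1) keeps sites working while making every script run a conscious decision; Disable (3) is the stronger setting for a machine that can live without script until the real fix ships. Either way, the change is a value in your own profile that you can put back with the same mechanism, which is exactly what a third-party binary hack does not give you.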

Uh oh... got this weird bright spot on my laptop screen...

Ok, so I've heard of dead pixels... got one of the damned things on my digital camera screen... but a patch of glowing, overbright, white pixels?? If I rub the area 'just right' with a fingertip the overbright patch goes away, but only for a few seconds. Wassup with that?  It doesn't show up in a screen scrape, so I can't even show it to you... it's the weirdest thing... it's like somebody is shining a really tiny torch at the screen.  I wonder if this laptop is still under warranty (oy Peter, let's talk about that laptop you sold me!!!!  Damn, he's overseas).

Just what I need... more hardware problems... what with the UPS committing seppuku (also known as "hara-kiri" for the benefit of you gaijin), and nearly losing my RAID1 when a hard drive failed, and the lift (aka elevator) at the office refusing to move as soon as I stepped into the flipping thing (I swear, that building hates me), and I/O hardware errors affecting my backup tape drive, and schizophrenic printer drivers on the network, the last thing I need is weirdly funky screen issues on my laptop.

Yes, yes, I know.. you read this blog for more important stuff than weird display glitches on my laptop and an impromptu lesson in Japanese lingo ... I promise I'm in the middle of completing a very cool article on IE's phishing filter for the Internet Explorer Community at microsoft.com, so hang in there - there are statistics and everything ;o)

Posted by sandi with 1 comment(s)

Cat days....

I love it... had a cat day recently?  I reckon the IE team feels like this sometimes...


Posted by sandi with no comments

New: Phishing Incident Reporting and Termination Squad

http://wiki.castlecops.com/PIRT

"...CastleCops and Sunbelt Software are announcing a new anti-phishing community, the Phishing Incident Reporting and Termination (PIRT) Squad. This will be a community at CastleCops solely dedicated to taking down phishing sites..."

I understand the desire and sentiment, but it's going to be heavy going for PIRT and the handlers they choose.  I've seen some interesting public statistics at the Anti-Phishing Working Group and private statistics elsewhere that reflect some pretty scary numbers... for example, the APWG January report notes that it received 17,877 *unique* phishing reports in that one month alone.

PIRT is calling for around 50 handlers (obviously from around the world) to review new submissions on a 24/7 global basis.  Can 50 or so handlers manage that sort of volume? Assuming a 30 day month, 17,877 reports works out to roughly 600 a day, which is about 12 reports per handler per day.

The number of new phishing sites has more than doubled since November last year.

New phishing sites by month:

November - 4630
December - 7197
January - 9715

A multi-layer collaborative approach is very effective. I'm hoping the data is shared not just with the "appropriate authorities" (law enforcement?) but also with Microsoft and other groups that are fighting the phishers by offering detection and blocking of same.

Ever had one of those nights when you wonder why the hell you bother?

I'm having one of them.  Maybe tomorrow will be a better day.
Posted by sandi with 2 comment(s)

Oh dear, not good - createTextRange again

http://isc.sans.org/diary.php?storyid=1221

"... It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get ... The malware FTP's all the information out to a location.  It also has email capability. ..."

Hmm, some grammatical amendment is required on that page :o)

Firefox myths

Ok, so I'm in a bit of a cheeky mood this morning - I don't know how many of you read Tony Chor's blog, but he highlighted this site today:

  Firefox Myths

Posted by sandi with 1 comment(s)

Firefox extensions: Well, they do say imitation is the most sincere form of flattery

Internet Explorer 7's Quick Tabs feature was unveiled back in mid-September last year:
http://www.ie-vista.com/quick_tabs.html

Version 0.1 of Viamatic foXpose was released in November 2005:
https://addons.mozilla.org/extensions/moreinfo.php?id=1457&vid=7825

Now at version 0.3:
https://addons.mozilla.org/extensions/moreinfo.php?id=1457

I think IE7's version is far... neater... less crowded/messy than the Firefox version ;o)

Posted by sandi with 1 comment(s)

Do you know what is *really* in your Internet Explorer cache and cookie folder?

I was able to get back into the Internet Explorer general newsgroup tonight for the first time in a week or so, and noted a user or three were confused about what they thought were non-cookie files in their cookie folders.

This... phenomenon... has been around for years.  What you are seeing in the cookie folder is not what is actually in there.  For example, check out this screen shot of my cookie folder. I'm sure you will see a similar mix of file types on your own system.

[screenshot: Windows Explorer's view of the Cookies folder, showing a mix of file types]

Ok, now you've checked out the view... open a CMD window and navigate to your cookie folder.  Run dir /p, as displayed in the screen shot below.  The /p switch ensures that only one page of files is displayed at a time; press a key to display the next page.

[screenshot: dir /p run in the Cookies folder from a CMD window, listing only TXT files]

You will see that the only content reported by the dir /p command is TXT files.  Why is this so?  You and I both saw many different file types in the cookies folder when using Windows Explorer, not just TXT files.

Following is an old quote from Tom Koch of www.insideoe.com fame - he explains it so well, why rewrite it?  He is discussing Cache View as it applies to temporary internet files, but the same theory can be applied to what is being seen in the cookies folder.

"...What you see is an illusion created by Windows Explorer. It is designed to show you what we might call the Cache View when you open *any* folder that is part of the Temporary Internet Files. If you are on a machine with multiple user profiles, this prevents you from seeing the contents of another user's cache. Looking at any of them will cause Explorer to display the Cache View only for the current user, i.e., yourself. If you want to verify this for yourself, click Start|Run and type without quotes "winfile". That will open the old 16-bit File Manager from Win3.x, which does not know how to display the Cache View. Be careful though. Do NOT attempt to change anything at all on your computer with File Manager, as it is not aware of long file names. Just use it to peek into the cache folders and you'll see that each folder contains different files.

You might also notice that the Cache View displays all the cookies for the current user. These are not even stored in the Temporary Internet Files folder. They are kept in c:\windows\cookies, or under \windows\users\<name>\cookies. They are included in the Cache View only as a convenience.

Finally, in case you are wondering, the cache folder itself is divided into subfolders in order to make it more efficient. The subfolders are given random names as a security precaution..."

Then there is Gary Terhune's "smoke and mirrors" explanation of cache view:
http://groups.google.com/group/microsoft.public.win98.gen_discussion/msg/2b98fb19368d8a5d
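Since the TXT files that dir /p shows you are the real contents of the folder, you can read them directly and see what the Cache View was dressing up. The parser below is an added example (mine, not the post's or Tom Koch's code) that decodes those cookie files. It assumes the layout IE uses for its cookie text files: each cookie is a nine-line record (name, value, domain/path, flags, expiry FILETIME as low and high DWORDs, creation FILETIME as low and high DWORDs, then a line containing "*"), and one user@domain[n].txt file can hold several records back to back. The sample file embedded in the script is constructed for the demonstration, and the flags field is left as the raw number because its bit meanings are not covered here.

```python
"""Parse the TXT cookie files that dir /p actually finds in the Cookies folder.
Added example, not the post's or Tom Koch's code.  Assumed layout: nine-line
records (name, value, domain/path, flags, expiry FILETIME low/high, creation
FILETIME low/high, "*"), several records per file.  Sample data is constructed."""
import os
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low, high):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC, split into two DWORDs."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; returns (low, high)."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


def parse_ie_cookie_text(text):
    """Turn the text of one cookie file into a list of cookie dicts.
    Stops at the first incomplete record instead of guessing at it."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    cookies, i = [], 0
    while i + 8 < len(lines) and lines[i + 8] == "*":   # full record present
        rec = lines[i:i + 9]
        domain, _, path = rec[2].partition("/")
        cookies.append({
            "name": rec[0],
            "value": rec[1],
            "domain": domain,
            "path": "/" + path,
            "flags": int(rec[3]),                          # raw flags, not decoded
            "expires": filetime_to_datetime(int(rec[4]), int(rec[5])),
            "created": filetime_to_datetime(int(rec[6]), int(rec[7])),
        })
        i += 9
    return cookies


def load_cookie_folder(folder):
    """Walk a real Cookies folder the way dir does: only the .txt files on disk,
    not the Cache View.  Returns {filename: [cookies]}."""
    out = {}
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".txt"):
            with open(entry.path, encoding="latin-1") as fh:
                out[entry.name] = parse_ie_cookie_text(fh.read())
    return out


# Constructed sample: two cookies as they would sit in one "sandi@example[1].txt".
# 3350200320 / 29830455 is the FILETIME pair for 2007-01-01 00:00:00 UTC.
SAMPLE_COOKIE_FILE = (
    "SESSIONID\n" "abc123\n" "example.com/\n" "1536\n"
    "3350200320\n" "29830455\n" "3350200320\n" "29830455\n" "*\n"
    "pref\n" "lang=en\n" "example.com/account/\n" "1536\n"
    "3350200320\n" "29830455\n" "3350200320\n" "29830455\n" "*\n"
)

if __name__ == "__main__":
    for c in parse_ie_cookie_text(SAMPLE_COOKIE_FILE):
        print(f"{c['name']}={c['value']} for {c['domain']}{c['path']} "
              f"expires {c['expires']:%Y-%m-%d %H:%M} UTC")
```

Point load_cookie_folder at the real Cookies directory (the one that dir /p showed you, not the Explorer window) and you get exactly what is on disk for the current user: names, values, domains and expiry dates, with nothing from the Temporary Internet Files cache mixed in.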

Confirmed: createTextRange vulnerability is being exploited

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=P

I do note on the diagram that it stipulates that only the "January edition" of Internet Explorer 7 Beta 2 Preview is vulnerable. 

There has been a lot of confusion about whether the March build (that is, 5335.5) is vulnerable to the createTextRange exploit because, despite the MS Security Blog and the Technet article noting that IE7 Beta 2 Preview Mix06 Build is not affected, other sites stated that the IE7 Beta 2 Preview was affected without stipulating build, and some stated IE7 Beta 2 (not the Preview) was vulnerable ... umm, guys... IE7 Beta 2 hasn't been released to the public yet. 

Now, if only MS would update their own advisory (http://www.microsoft.com/technet/security/advisory/917077.mspx) which, although it states that IE7 build released on March 20 is not affected, does not list earlier versions of IE7 in the "Related Software" list.

Boy, did I just give myself a fright adding the first PC to my new network...

As you all know, I am the proud owner of a brand, spanking new HP Proliant running SBS2003.  Things have been busy around here so I hadn't got around to setting up client computer accounts and then adding computers to my domain before tonight.

I nearly messed up big time.  Setting up the user accounts was easy.  Setting up the client computer accounts was easy.  Going to connectcomputer and adding the first computer to the domain was easy... the reboot and installation of applications was not ... because I forgot to disable Trend PC-Cillin Internet Security beforehand.  The PC hung at 'applying computer settings' and would only successfully boot into safe mode.

Talk about feeling like an absolute idiot ... I have *always* stressed how important it is to disable antivirus when installing software... it simply didn't occur to me that Trend (likely the firewall) would block adding the computer to the domain... damn it, I should be better than this.  I should have been warned by the two firewall prompts before reboot.. but silly me thought that accepting those two prompts before the reboot would be sufficient to allow the process to conclude successfully.

Anyway, I sat there scratching my head and fretting.. do I power off?  Leave it stuck where it is until one of my two friendly SBS experts comes online? They, unlike me, have a life therefore I had no idea how long that would be.  Stuff it, says me, I'll try to fix things... its only my jukebox PC therefore if I have to reformat, no big deal (although I do cringe at the thought of having to rebuild... hundreds of copy CDs... specialised surround sound software... lots of tweaks...).

Ok, force the power off and reboot in safe mode.

Disabling Trend's only startup entry in msconfig then restarting didn't work. 

Disabling all other third party applications startups in msconfig then restarting didn't work. 

The only thing that worked was to disable all Trend related services via services.msc.  *That* allowed the process to complete.. a couple of reboots.. install the client applications and I was done (relieved).  Damn, I was lucky.  It's just as well SBS is very tolerant of such boo-boos and multiple forced power offs - many other applications wouldn't be - you'd be looking at a fried machine.

There is still a bit of a mess to clean up - there was an error about being unable to delete the _sbs_netsetup__ user account, and in Server Management there was an aberrant entry under the old name for the PC I'd just added to the domain - I deleted that entry but Server Management threw an error about being unable to delete the entry and to please use "Active Directory Users and Computers" to delete it (despite it being gone from the client computer list).  I'm not sure how to delete the _sbs_netsetup__ account on the PC - certainly it has a presence in "Documents and Settings", but there is nothing under Users in Control Panel.  Edit re deleting _sbs_netsetup__: One of my knights-in-shining-armour came to my rescue - right click "My Computer", select "Properties", navigate to the "Advanced" tab, select "User Profiles", select "Unknown Account", delete.

I have no idea what other damage I may have done by leaving Trend enabled - only time will tell ... it reminds me of how I got into this MVP gig in the first place... left my AV running when installing a free copy of Outlook 95?98? way back then, totally wrecking some software in the process.. being the stubborn type I wouldn't reformat and was determined to fix things.. the rest is history.

Lesson learned - uninstall Trend PC-Cillin Internet Security COMPLETELY before trying to add a computer to a domain... don't just stop it from loading .. disable all Trend services.  In fact, I'd extend that to say disable *any* firewall that may be running on the PC being added to a domain, assuming of course that you are otherwise protected by ISA or a hardware firewall (such as on your router).

I'll admit to being uncomfortable with no Trend firewall on my internal network - if a virus, trojan or malware of some type gets onto a PC in my network via, for example, somebody clicking on something in an email, my router firewall is *not* going to stop that nasty from bouncing from PC to PC on my internal network.. gotta look into that.

Posted by sandi with 2 comment(s)

Anti-phishing Working Group January report is now available.

http://www.antiphishing.org/

The report notes that January 2006 was a record month not only for number of reports, but also a record month for unique phishing websites, and also for "unique" password stealing applications.

Please download the PDF report and have a read - knowledge is the best defence.

Even if you *know* that a site is a phishing site, and even if you have absolutely no intention of handing over sensitive personal information, don't go there.

Let's consider the createTextRange vulnerability, which is not yet patched.  Since disclosure of the existence of the vulnerability, and the publication of "proof of concept" pages, there have been a few sites discovered that try to take advantage of the vulnerability.  I don't know if the discovered sites are phishing sites, but there is no reason to dismiss the possibility.  It doesn't matter how good your antivirus is, or how up to date you are with patches: if there is an unpatched vulnerability around, the bad guys will try to use it, so don't take the risk of checking out phishing sites purely to satisfy curiosity.

Internet Explorer feedback

The Internet Explorer feedback site is now live - it's hosted on connect.microsoft.com, which means you will need a Passport ID to use it.

The IE team have posted a detailed blog entry about the new site - go check it out:
http://blogs.msdn.com/ie/default.aspx

Posted by sandi with no comments